Determining when AD FS token signing and token decryption certificates expire



Description of Issue

We know that our AD FS certificates expire soon but have lost record of the exact date.



Context
  • AD FS

  • Authentication

  • Certificates

  • OKTA

  • TID-W

  • Tyler Identity Workforce



Cause

AD FS generates its token signing and token decryption certificates automatically, both at initial configuration and again when the current certificates approach their expiration date. For Tyler clients integrating with Tyler Identity Workforce (TID-W), the new certificates must be uploaded to Okta whenever they change, or the federation breaks and service is interrupted.



Resolution
  1. Run the PowerShell commands below on an AD FS server to determine when the primary token signing and token decrypting certificates expire (note the parameter uses a regular hyphen, not an en-dash)

    1. Get-AdfsCertificate -CertificateType token-signing

    2. Get-AdfsCertificate -CertificateType token-decrypting

  2. Contact Tyler Systems Management to coordinate replacement of the certificates in Okta before the expiration date
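The two commands above each return every certificate of that type, including any secondary certificate that auto-rollover has already generated. The script below is an added example, not part of the original article: it runs both queries, reports the primary certificate's thumbprint, NotAfter date and days remaining, flags anything expiring within an assumed 30-day window, and lists any pending (non-primary) certificate that will need to be uploaded to Okta. It assumes an elevated PowerShell session on an AD FS server with the ADFS module installed; the warning threshold and export path are placeholders to adjust.

```powershell
# Added example (not from the original article): expiry report for the primary
# AD FS token-signing and token-decrypting certificates, plus any pending
# secondary certificate produced by auto-rollover.
Import-Module ADFS -ErrorAction Stop

$types    = @('Token-Signing', 'Token-Decrypting')
$warnDays = 30                     # assumed threshold; align with your change window
$exportDir = 'C:\Temp\adfs-certs'  # placeholder path for exported public certs

$report = foreach ($type in $types) {
    Get-AdfsCertificate -CertificateType $type | ForEach-Object {
        $cert     = $_.Certificate     # System.Security.Cryptography.X509Certificates.X509Certificate2
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        [pscustomobject]@{
            CertificateType = $_.CertificateType
            IsPrimary       = $_.IsPrimary
            Thumbprint      = $cert.Thumbprint
            NotBefore       = $cert.NotBefore
            NotAfter        = $cert.NotAfter
            DaysRemaining   = $daysLeft
            Status          = if ($daysLeft -lt 0)          { 'EXPIRED' }
                              elseif ($daysLeft -le $warnDays) { 'EXPIRING SOON' }
                              else                           { 'OK' }
        }
    }
}

Write-Host "Primary certificates (the ones AD FS is using now):"
$report | Where-Object IsPrimary | Format-Table CertificateType, Thumbprint, NotAfter, DaysRemaining, Status -AutoSize

$pending = $report | Where-Object { -not $_.IsPrimary }
if ($pending) {
    Write-Host "Secondary certificates already generated; these are the ones Okta will need:"
    $pending | Format-Table CertificateType, Thumbprint, NotBefore, NotAfter -AutoSize

    # Export the public portion (no private key) so it can be handed to the
    # team updating the Okta configuration.
    New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
    foreach ($type in $types) {
        Get-AdfsCertificate -CertificateType $type |
            Where-Object { -not $_.IsPrimary } |
            ForEach-Object {
                $file = Join-Path $exportDir ("{0}-{1}.cer" -f $type, $_.Certificate.Thumbprint)
                Export-Certificate -Cert $_.Certificate -FilePath $file -Type CERT | Out-Null
                Write-Host "Exported $file"
            }
    }
}

# Auto-rollover settings explain the timing: with AutoCertificateRollover on,
# AD FS creates a new certificate CertificateGenerationThreshold days before
# expiry (default 20) and promotes it to primary CertificatePromotionThreshold
# days after creating it (default 5). The Okta side must be updated in that gap.
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold
```

A certificate showing IsPrimary = False with a NotBefore date in the recent past is the rollover output; its thumbprint is what to compare against the certificate currently configured in Okta. If the primary certificate's DaysRemaining is already below the generation threshold and no secondary exists, check that AutoCertificateRollover is True before assuming AD FS will produce one.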



Additional Information
  • The IsPrimary value set to True designates the certificate that AD FS is currently using; any certificate listed with IsPrimary set to False is a newly generated one waiting to be promoted.

  • The NotAfter value of the primary certificate is the date by which a new primary token signing or decrypting certificate must be configured (in AD FS and in Okta).